Week 43 In Review – 2016

Hack.lu
I’m back to Luxembourg for a new edition of hack.lu. In fact, I arrived yesterday afternoon to attend the MISP summit. It was a good opportunity to meet MISP users and to get fresh news about the project.

My slides from BsidesPDX’16 – firmwaresecurity.com
I gave a brief presentation at Security BSides Portland (BsidesPDX) a few days ago. The title was “Firmware Tools for Security Researchers”. Since it was only a 20-minute time slot, I only had time to cover a few tools, and didn’t get a chance to mention other noteworthy tools.

Setting up a Research Environment for IP Cameras – insinuator.net
Embedded devices often serve as an entry point for an attack on a private or corporate network. The infamous attack on HackingTeam, for example, followed exactly this path as was revealed here. Although the attack may have been for the greater good (refer also to this great keynote), such incidents demonstrate that it is important to properly secure your embedded devices.

IP Cameras Default Passwords Directory – ipvm.com
We have gathered this list of IP camera manufacturers and their default usernames and passwords to help users get started more quickly. After the list, we discuss recent changes by manufacturers as well as password security issues.

Tools

BloodHound – github.com
BloodHound is a single-page JavaScript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

Techniques

What are malicious USB keys and how to create a realistic one? – www.elie.net
Dropping a malicious USB key in a parking lot is an effective attack vector, as demonstrated by our recent large-scale study. This blog post follows up on the study by showing how reliable and realistic-looking malicious USB keys can be created.

Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier – www.scriptjunkie.us
Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by built-in and script-defined PowerShell cmdlets. Microsoft’s documentation claimed JEA was a security boundary so effective you did not need to worry about an attacker stealing and misusing the credentials of a JEA user.

Extracting LastPass Site Credentials from Memory – techanarchy.net
Let me start by stating this is not an exploit or a vulnerability in LastPass. This is just extracting any data that may remain in memory during a forensics acquisition. At some point the data must be in the clear.

SLACK, A Brief Journey to Mission Control – secalert.net
In order to understand the infrastructure and to gain information about the used framework I started to check the HTTP response header and saw that Slack is using an Apache httpd server. So I tried to identify common Apache directories and directives like “/icons/README”, “/manual/”, “/server-info” and “/server-status”.

Recording Keystroke Sounds Over Skype to Steal User Data – www.onthewire.io
New research from the University of California Irvine shows that an attacker, who has not compromised a target’s PC, can record the acoustic emanations of a victim’s keystrokes and later reconstruct the text of what he typed, simply by listening over a VoIP connection.

Researchers Bypass ASLR Protection on Intel Haswell CPUs – news.softpedia.com
A team of scientists from two US universities has devised a method of bypassing ASLR (Address Space Layout Randomization) protection by taking advantage of the BTB (Branch Target Buffer), a component included in many modern CPU architectures, including Intel Haswell CPUs, the processor they used for tests in their research.

How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts – motherboard.vice.com
On March 19 of this year, Hillary Clinton’s campaign chairman John Podesta received an alarming email that appeared to come from Google. The email, however, didn’t come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government.

Other News

Weebly hacked, 43 million credentials stolen – techcrunch.com
The web design platform Weebly was hacked in February, according to the data breach notification site LeakedSource. Usernames and passwords for more than 43 million accounts were taken in the breach, although the passwords are secured with the strong hashing algorithm bcrypt.

DDoS Attack
Major websites have gone down worldwide. The reason is still unclear, but a major DNS provider is suffering a massive DDoS attack and experts are connecting the dots.

How Stolen iOS Devices Are Unlocked – isc.sans.edu
For a number of years now, Apple has been implementing “Activation Lock” and “Find my iPhone” to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.
